Re: v2.8.4 incorrect logging to MySQL

[Jason Brvenik <jasonb () sourcefire com>]

It is also GPL which overcomes the QPL issues with maintaining the old
barnyard should the devs move on. The community can pick it up and
continue...

On Tue, Apr 14, 2009 at 2:19 PM, Jason Wallace
<jason.r.wallace () gmail com> wrote:
> Unified2 is truly "unified" meaning there is only 1 file for both
> alert and log data.
>
> Barnyard2 is actively supported. Last release was 07 Mar 09. I
> reported a bug last week. They got back to me with in a day or so,
> asked some questions, and said they are working on a fix. Contacted me
> again the other day for some config info from one of my boxes to help
> them with the fix.
>
> For an Open Source project, that passes my "supported" test. :)
>
> Wally
>
> On Tue, Apr 14, 2009 at 2:09 PM, Paul Schmehl <pschmehl_lists () tx rr com> wrote:
> > --On Tuesday, April 14, 2009 12:15:12 -0500 Joel Esler
> > <jesler () sourcefire com> wrote:
> >
> > > After talking with Jason, I am going to try and put some bandwidth into
> > > testing barnyard2.  See if it comes up for any of the short falls that
> > > barnyard1 had.
> > >
> > >
> > > Are any of the barnyard2 developers on this list?
> > >
> > >
> > > J
> > >
> > >
> > > On Tue, Apr 14, 2009 at 12:54 PM, Jason Wallace
> > > <jason.r.wallace () gmail com>
> > > wrote:
> > >
> > > I'll bite...
> > >
> > > I'd throw in a vote for this too, but out of curiosity... why unified
> > > over unified2?
> > >
> > > Either way, before you could do that there would have to be an
> > > "official" tool to read the binary file and output it to other
> > > formats. By official I mean something supported, documented (right on
> > > the snort web site), and, maintained so we know it will be there
> > > tomorrow and doesn't fade off into nothing like barnyard.
> > >
> > > Right now there are 3 options:
> > >
> > > Barnyard: http://www.snort.org/dl/barnyard/
> > > - Works with unified but not unified2
> > > - abandon ware
> > > - DB connection issues
> > >
> > > Barnyard2: http://www.securixlive.com/barnyard2/index.php
> > > - Works with unified and unified2
> > > - I have seen the same DB connection issues as with barnyard
> > >
> > > SnortUnified.pm: http://code.google.com/p/snort-unified-perl/
> > > - Works but not very well documented (no disrespect meant Jason)
> > > - Not sure about the DB connection issue. I have tried to use this a
> > > couple of times, I'm not the best with perl so the lack of doc's left
> > > me scratching my head.
> > >
> > > I wouldn't call any of these official. Recommended, but not official.
> > >
> > > Wally
> > >
> > >
> > >
> > >
> > > On Tue, Apr 14, 2009 at 12:08 PM, JJ Cummings <cummingsj () gmail com> wrote:
> > > > /me raises hand.. "I"
> > > >
> > > > On Tue, Apr 14, 2009 at 9:56 AM, Joel Esler <jesler () sourcefire com>
> > > > wrote:
> > > > > Seconded.
> > > > >
> > > > > On Tue, Apr 14, 2009 at 11:38 AM, Jason Brvenik <jasonb () sourcefire com>
> > > > > wrote:
> > > > > > Here is my vote to remove all output methods from the engine except
> > > > > > unified, to remove the code complexity. People are much better off
> > > > > > having two dedicated processes achieving a common goal than they are
> > > > > > with the code complexity and issues in the one code base.
> > > > > >
> > > > > > On Tue, Apr 14, 2009 at 8:31 AM, James Lay <jlay () slave-tothe-box net>
> > > > > > wrote:
> > > > > > > ________________________________
> > > > > > > From: Ron Jenkins <rjenkins () rmjcs net>
> > > > > > > Date: Mon, 13 Apr 2009 09:21:09 -0500
> > > > > > > To: 'Joel Esler' <jesler () sourcefire com>
> > > > > > > Cc: James Lay <jlay () slave-tothe-box net>, Snort
> > > > > > > <snort-users () lists sourceforge net>
> > > > > > > Subject: RE: [Snort-users] v2.8.4 incorrect logging to MySQL
> > > > > > >
> > > > > > > We are backing down from v2.8.4 until the new version can
> > > > > > > successfully
> > > > > > > write
> > > > > > > to the sensor and signature tables correctly.
> > > > > > >
> > > > > > > Until Soucrefire truly removes writing to the MySQL database and
> > > > > > > forces
> > > > > > > unified logging we see no reason to change at this time.  Yes the new
> > > > > > > rule
> > > > > > > changes are much wanted, but after reading on the mass issues on the
> > > > > > > snort
> > > > > > > forums with the new version we are holding off on the update.
> > > > > > >
> > > > > > > Thanks
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > I have to chime in and second this.  Though Unified might be best,
> > > > > > > for
> > > > > > > smaller shops, my perception is that barnyard is an added layer of
> > > > > > > complexity.  I run snort at the house on OS X...pretty much to catch
> > > > > > > the
> > > > > > > obvious dumb crap coming in from the outside world and to catch if
> > > > > > > the
> > > > > > > kids
> > > > > > > machines get something naughty.  Again, larger shops where IDS is
> > > > > > > mission
> > > > > > > critical should take the extra step, but small ones..eh...I’ve found
> > > > > > > that
> > > > > > > logging direct to mysql works well enough.  My 0.02 I guess.
> > > > > > >
> > > > > > > James
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ------------------------------------------------------------------------
> > > > > > > ------ This SF.net email is sponsored by:
> > > > > > > High Quality Requirements in a Collaborative Environment.
> > > > > > > Download a free trial of Rational Requirements Composer Now!
> > > > > > > http://p.sf.net/sfu/www-ibm-com
> > > > > > > _______________________________________________
> > > > > > > Snort-users mailing list
> > > > > > > Snort-users () lists sourceforge net
> > > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > > Snort-users list archive:
> > > > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > > >
> > > > > >
> > > > > >
> > > > > > --------------------------------------------------------------------------
> > > > > > ---- This SF.net email is sponsored by:
> > > > > > High Quality Requirements in a Collaborative Environment.
> > > > > > Download a free trial of Rational Requirements Composer Now!
> > > > > > http://p.sf.net/sfu/www-ibm-com
> > > > > > _______________________________________________
> > > > > > Snort-users mailing list
> > > > > > Snort-users () lists sourceforge net
> > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > Snort-users list archive:
> > > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974
> > > > >
> > > > >
> > > > >
> > > > > ---------------------------------------------------------------------------
> > > > > --- This SF.net email is sponsored by:
> > > > > High Quality Requirements in a Collaborative Environment.
> > > > > Download a free trial of Rational Requirements Composer Now!
> > > > > http://p.sf.net/sfu/www-ibm-com
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > > >
> > > >
> > > > --
> > > >
> > > >
> > > >
> > > > ----------------------------------------------------------------------------
> > > > -- This SF.net email is sponsored by:
> > > > High Quality Requirements in a Collaborative Environment.
> > > > Download a free trial of Rational Requirements Composer Now!
> > > > http://p.sf.net/sfu/www-ibm-com
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > This SF.net email is sponsored by:
> > > High Quality Requirements in a Collaborative Environment.
> > > Download a free trial of Rational Requirements Composer Now!
> > > http://p.sf.net/sfu/www-ibm-com
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > You've caught me by surprise.  As the port maintainer for barnyard (for
> > FreeBSD), I was unaware that work was ongoing on a new version of barnyard.
> > Furthermore, I didn't pick up the changes to unified output that were
> > introduced in snort 2.8.
> >
> > Is the barnyard2 project officially supported?  (Not that it matters for
> > purposes of a port for FreeBSD.  It would only mean I would create a new
> > port rather than update the existing one.)
> >
> > What are the advantages of unified2 over unified?
> >
> > --
> > Paul Schmehl, Senior Infosec Analyst
> > As if it wasn't already obvious, my opinions
> > are my own and not those of my employer.
> > *******************************************
> > Check the headers before clicking on Reply.
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> High Quality Requirements in a Collaborative Environment.
> Download a free trial of Rational Requirements Composer Now!
> http://p.sf.net/sfu/www-ibm-com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users